On Fri, 2009-05-15 at 12:15 -0700, John Hardin wrote:
> On Fri, 15 May 2009, McDonald, Dan wrote:
>
> > Or would it be better to just overwrite ADVANCE_FEE_{2,3,4} with more
> > subtests?
>
> The sought_fraud rules are dynamically generated from current 419 emails.
> Were you aware of them? Granted, they are rather large...

Yes, I have them. They are in the same channel as the rest of the sought rules.

$ grep -o -P 'JM_SOUGHT_FRAUD_\d' /var/log/mail/info | sort | uniq -c
    452 JM_SOUGHT_FRAUD_1
    775 JM_SOUGHT_FRAUD_2
   1174 JM_SOUGHT_FRAUD_3

Reasonable overlap with the built-in ADVANCE_FEE rules:

$ grep ADVANCE_FEE /var/log/mail/info | grep -o -P 'JM_SOUGHT_FRAUD_\d' | sort | uniq -c
    338 JM_SOUGHT_FRAUD_1
    555 JM_SOUGHT_FRAUD_2
    731 JM_SOUGHT_FRAUD_3
$ grep ADVANCE_FEE /var/log/mail/info | grep -vc 'JM_SOUGHT_FRAUD_'
1038

But there are still 419's getting through. One lady has been inundated with them. Maybe just a meta with __FRAUD_DBI && __HAS_ANY_EMAIL would be enough...

>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
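
The overlap between the JM_SOUGHT_FRAUD_n and ADVANCE_FEE rules that the grep pipelines above measure, tallied per message in one pass. This is an added example, not part of the original message; the sample log lines are constructed, and it assumes one log line per scanned message with the hit rule names listed on that line.

```python
import re
from collections import Counter

SOUGHT = re.compile(r"JM_SOUGHT_FRAUD_\d")
ADVANCE = re.compile(r"ADVANCE_FEE_\w+")

# Constructed sample lines (assumed layout: one scanned message per line).
SAMPLE_LOG = """\
May 15 12:01:02 mx scan[101]: tests=ADVANCE_FEE_2,ADVANCE_FEE_3,JM_SOUGHT_FRAUD_3
May 15 12:01:09 mx scan[102]: tests=ADVANCE_FEE_2,HTML_MESSAGE
May 15 12:02:11 mx scan[103]: tests=JM_SOUGHT_FRAUD_1,JM_SOUGHT_FRAUD_3
May 15 12:02:40 mx scan[104]: tests=BAYES_99,HTML_MESSAGE
May 15 12:03:05 mx scan[105]: tests=ADVANCE_FEE_4,JM_SOUGHT_FRAUD_2
May 15 12:03:30 mx scan[106]: tests=JM_SOUGHT_FRAUD_3
"""


def overlap(lines):
    """Tally messages by which rule family fired.

    Returns (tally, per_rule):
      tally    -- messages hitting both families, ADVANCE_FEE only, or
                  a sought-fraud rule only
      per_rule -- (sought rule, ADVANCE_FEE also hit?) -> message count
    """
    tally = Counter()
    per_rule = Counter()
    for line in lines:
        sought = set(SOUGHT.findall(line))      # de-duplicate within a message
        advance = bool(ADVANCE.search(line))
        if not sought and not advance:
            continue                            # neither family fired
        if sought and advance:
            tally["both"] += 1
        elif advance:
            tally["advance_fee_only"] += 1
        else:
            tally["sought_only"] += 1
        for rule in sought:
            per_rule[(rule, advance)] += 1
    return tally, per_rule


if __name__ == "__main__":
    tally, per_rule = overlap(SAMPLE_LOG.splitlines())
    for bucket, count in sorted(tally.items()):
        print(f"{count:7d} {bucket}")
    for (rule, advance), count in sorted(per_rule.items()):
        label = "with ADVANCE_FEE" if advance else "without ADVANCE_FEE"
        print(f"{count:7d} {rule} {label}")
```

The "sought_only" bucket shows what the sought rules catch that ADVANCE_FEE misses, which the pipelines above do not report directly.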